How can I determine who (or what) has blocked access to a CentOS user account?

CentOS 5.x

A user account on my CentOS server has become inaccessible and I'm not sure why.

If I run chage -l foo I see:

Minimum:     0
Maximum:     0 
Warning:     5
Inactive     -1
Last Change:         July 17, 2012
Password Expires:     Never
Password Inactive:    Never
Account Expires:      Never

I'm not sure what the -1 means, but as far as I can tell based on the other settings, the account shouldn't expire or be automatically locked out.

Assuming that's the case, where else can I look to troubleshoot this?

Also, will the symptoms appear the same if the account is automatically locked vs administratively disabled vs just having a changed password?


Update: I checked /var/log/secure and I'm seeing:

Aug  9 07:11:14 foo sshd(pam_unix)[15122]: account foo has expired (failed to change password)
Aug 10 19:12:33 foo sshd(pam_unix)[900]: account foo has expired (failed to change password)

Interestingly enough, I'm also noticing entries like:

Aug 13 10:12:00 foo sshd(pam_unix)[23222]: password for user foo will expire in 0 days

Does this last entry mean that the password will never expire? Or that it will expire today?


Solution 1:

I'm not sure what the -1 means

man chage says:

   -I, --inactive INACTIVE
       Set the number of days of inactivity after a password has expired before the account is locked. The
       INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the
       system administrator before being able to use the system again.

       Passing the number -1 as the INACTIVE will remove an account's inactivity.

UPDATE Mon Aug 13 23:02:37 ICT 2012

account foo has expired (failed to change password)

It means that the foo account is expired and inactive. Reset his password.

password for user foo will expire in 0 days

Does this last entry mean that the password will never expire? Or that it will expire today?

That's why you see the Inactive -1 when running chage -l foo. The foo account will be inactive immediately after expiration.

If you set --inactive to a different value than -1, the foo account has a chance to do a "grace login" to change his password.
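
For telling an administrative lock, an expired account and an aged-out password apart, the following added example (not part of the original question or answer) classifies /etc/shadow entries by the field meanings documented in shadow(5). The function and variable names are hypothetical, the sample lines and hashes are constructed, and the comparisons are an assumption modelled on the usual password-aging rules rather than taken from this system's PAM source.

```python
from datetime import date, timedelta

FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")
SAMPLE_TODAY = date(1970, 1, 1) + timedelta(days=15565)  # 2012-08-13
SAMPLE = [  # constructed /etc/shadow lines with placeholder hashes
    "alice:$1$x$placeholder:15538:0:99999:7:::",
    "bob:!!$1$x$placeholder:15538:0:99999:7:::",
    "carol:$1$x$placeholder:15500:0:30:5:10::",
    "dave:$1$x$placeholder:15500:0:30:5:::",
    "erin:$1$x$placeholder:15535:0:30:5:::",
    "frank:$1$x$placeholder:15538:0:99999:7::15000:",
]

def _num(value):
    # An empty shadow field, or -1, means "not set".
    return None if value in ("", "-1") else int(value)

def classify(shadow_line, today):
    """Return (user, findings) for one shadow line; today is a datetime.date."""
    parts = shadow_line.strip().split(":") + [""] * 9
    user, pw = parts[0], parts[1]
    f = dict(zip(FIELDS, map(_num, parts[2:8])))
    now = (today - date(1970, 1, 1)).days  # shadow counts days since the epoch
    findings = []
    # Administrative lock: passwd -l / usermod -L put '!' in front of the hash.
    if pw.startswith("!") and pw.lstrip("!"):
        findings.append("password locked by administrator")
    elif pw in ("*", "!", "!!"):
        findings.append("no usable password set")
    # The account expiry date is independent of password aging.
    if f["expire"] is not None and now >= f["expire"]:
        findings.append("account expired")
    if f["lastchg"] == 0:
        findings.append("password change forced at next login")
    elif f["lastchg"] is not None and f["max"] is not None:
        age = now - f["lastchg"]
        if age > f["max"]:
            if f["inactive"] is not None and age > f["max"] + f["inactive"]:
                findings.append("password expired, inactivity period over")
            else:
                findings.append("password expired, change required at login")
        elif f["warn"] is not None and age > f["max"] - f["warn"]:
            findings.append("password will expire in %d days" % (f["max"] - age))
    return user, findings or ["no aging or lock condition found"]

if __name__ == "__main__":
    for line in SAMPLE:
        print("%-6s %s" % classify(line, SAMPLE_TODAY))
```

On a real host the input lines would come from `getent shadow foo` run as root, with today's date passed as the second argument.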